Deploying an ASA VPN Load-Balancing Cluster

In this article, I want to give step-by-step instructions on how to quickly deploy the most scalable Remote-Access VPN scheme currently available, based on AnyConnect and Cisco ASA: the VPN Load Balancing Cluster.

Introduction: Given the COVID-19 situation, many companies around the world are working to move their employees to remote work. Because of this mass shift to remote work, the load on companies' existing VPN gateways is growing sharply, and the ability to scale them very quickly is needed. On the other hand, many companies are forced to master the concept of remote work hastily and from scratch.

To help businesses get convenient VPN access for employees in the shortest possible time, Cisco is licensing the feature-rich AnyConnect SSL-VPN client for 13 weeks. You can also take ASAv for testing (virtual ASA for VMWare/Hyper-V/KVM hypervisors and AWS/Azure cloud platforms) from authorized partners or by contacting the Cisco representatives who work with you.

The procedure for issuing AnyConnect COVID-19 licenses is described here.

I have prepared a step-by-step guide for a simple deployment of a VPN Load-Balancing Cluster as the most scalable VPN technology.

The example below is quite simple in terms of the authentication and authorization algorithms used, but it is a good option for a quick start (which many currently lack), with the possibility of adapting it in depth to your needs during deployment.

Brief information: VPN Load Balancing Cluster technology is neither failover nor clustering in the native sense. It can combine completely different ASA models (with certain restrictions) to load-balance Remote-Access VPN connections. There is no synchronization of sessions or configurations between the nodes of such a cluster, but it is possible to load-balance VPN connections automatically and to keep VPN connectivity fault-tolerant as long as at least one active node remains in the cluster. Load in the cluster is balanced automatically according to node load, measured by the number of VPN sessions.

For failover of specific cluster nodes (if required), failover can be used, so that the active connection is handled by the Primary node of the failover pair. Failover is not required for fault tolerance within the Load-Balancing cluster: if a node fails, the cluster itself moves the user session to another live node, but without preserving the connection state, which is exactly what failover provides. Accordingly, the two technologies can be combined if necessary.

A VPN Load-Balancing cluster can contain more than two nodes.

VPN Load-Balancing Cluster is supported on ASA 5512-X and above.

Since each ASA in a VPN Load-Balancing cluster is an independent unit in terms of settings, we carry out all configuration steps on each device individually.

Technical details are here.

Logical topology of the example:


Initial deployment:

  1. We deploy ASAv instances of the templates we need (ASAv5/10/30/50) from the image.

  2. We assign the INSIDE/OUTSIDE interfaces to the same VLANs (OUTSIDE in its own VLAN, INSIDE in its own, but shared within the cluster; see the topology). It is important that interfaces of the same type are in the same L2 segment.

  3. Licenses:

    • At this point the ASAv installation has no licenses and is limited to 100 kbps.
    • To install a license, you need to generate a token in your Smart-Account: https://software.cisco.com/ -> Smart Software Licensing
    • In the window that opens, click the New Token button.
    • Make sure that in the window that opens the field Allow export-controlled functionality… is active and its checkbox is ticked. Without this field active, you will not be able to use strong-encryption functions and, accordingly, VPN. If the field is not active, please contact your account team and ask for it to be activated.
    • After clicking the Create Token button, a token is generated that we will use to obtain the license for the ASAv; copy it.
    • Repeat steps C, D, E for each deployed ASAv.
    • To make it easier to copy the token, let's temporarily allow telnet. Let's configure each ASA (the example below shows the settings on ASA-1). telnet does not work on outside; if you really need it, change the security level to 100 on outside, then change it back.

    !
    ciscoasa(config)# int gi0/0
    ciscoasa(config)# nameif outside
    ciscoasa(config)# ip address 192.168.31.30 255.255.255.0
    ciscoasa(config)# no shut
    !
    ciscoasa(config)# int gi0/1
    ciscoasa(config)# nameif inside
    ciscoasa(config)# ip address 192.168.255.2 255.255.255.0
    ciscoasa(config)# no shut
    !
    ciscoasa(config)# telnet 0 0 inside
    ciscoasa(config)# username admin password cisco priv 15
    ciscoasa(config)# ena password cisco
    ciscoasa(config)# aaa authentication telnet console LOCAL
    !
    ciscoasa(config)# route outside 0 0 192.168.31.1
    !
    ciscoasa(config)# wr
    !

    • To register the token in the Smart-Account cloud, you must provide the ASA with Internet access; details here.

    In short, the ASA needs:

    • HTTPS access to the Internet;
    • time synchronization (more correctly, via NTP);
    • a registered DNS server;
    • We connect to our ASA and make the settings to activate the license via Smart-Account.

    !
    ciscoasa(config)# clock set 19:21:00 Mar 18 2020
    ciscoasa(config)# clock timezone MSK 3
    ciscoasa(config)# ntp server 192.168.99.136
    !
    ciscoasa(config)# dns domain-lookup outside
    ciscoasa(config)# dns server-group DefaultDNS
    ciscoasa(config-dns-server-group)# name-server 192.168.99.132
    !
    ! Check that DNS works:
    !
    ciscoasa(config-dns-server-group)# ping ya.ru
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 87.250.250.242, timeout is 2 seconds:
    !!!!!
    !
    ! Check NTP synchronization:
    !
    ciscoasa(config)# show ntp associations
      address         ref clock     st  when  poll reach  delay  offset    disp
    *~192.168.99.136   91.189.94.4       3    63    64    1    36.7    1.85    17.5
    * master (synced), # master (unsynced), + selected, - candidate, ~ configured
    !
    ! Set the configuration of our ASAv for Smart Licensing (according to your profile; in my case 100M as an example)
    !
    ciscoasa(config)# license smart
    ciscoasa(config-smart-lic)# feature tier standard
    ciscoasa(config-smart-lic)# throughput level 100M
    !
    ! If necessary, Internet access can be configured through a proxy; use the following block of commands:
    !call-home
    !  http-proxy ip_address port port
    !
    ! Next, paste the token copied from the Smart-Account portal (<token>) and register the license
    !
    ciscoasa(config)# end
    ciscoasa# license smart register idtoken <token>

    • We check that the device has successfully registered the license and that encryption options are available:

  4. Configure basic SSL-VPN on each gateway

    • Next, configure access via SSH and ASDM:

    ciscoasa(config)# ssh ver 2
    ciscoasa(config)# aaa authentication ssh console LOCAL
    ciscoasa(config)# aaa authentication http console LOCAL
    ciscoasa(config)# hostname vpn-demo-1
    vpn-demo-1(config)# domain-name ashes.cc
    vpn-demo-1(config)# cry key gen rsa general-keys modulus 4096 
    vpn-demo-1(config)# ssh 0 0 inside  
    vpn-demo-1(config)# http 0 0 inside
    !
    ! Bring up the HTTPS server for ASDM on port 445 so that it does not clash with the SSL-VPN portal
    !
    vpn-demo-1(config)# http server enable 445 
    !

    • For ASDM to work, you first need to download it from cisco.com; in my case it is the following file:

    • For the AnyConnect client to work, you need to upload an image to each ASA for each client desktop OS in use (Linux/Windows/MAC are planned); you will need a file with Headend Deployment Package in its name:

    • The downloaded files can be uploaded, for example, to an FTP server and then loaded onto each individual ASA:

    • We configure ASDM and a self-signed certificate for SSL-VPN (in production it is recommended to use a trusted certificate). The configured FQDN of the Virtual Cluster Address (vpn-demo.ashes.cc), as well as each FQDN associated with the external address of each cluster node, must resolve in the external DNS zone to the IP address of the OUTSIDE interface (or to the mapped address if port forwarding of udp/443 (DTLS) and tcp/443 (TLS) is used). Details on certificate requirements are given in the Certificate Verification section of the documentation.

    !
    vpn-demo-1(config)# crypto ca trustpoint SELF
    vpn-demo-1(config-ca-trustpoint)# enrollment self
    vpn-demo-1(config-ca-trustpoint)# fqdn vpn-demo.ashes.cc
    vpn-demo-1(config-ca-trustpoint)# subject-name cn=*.ashes.cc, ou=ashes-lab, o=ashes, c=ru
    vpn-demo-1(config-ca-trustpoint)# serial-number             
    vpn-demo-1(config-ca-trustpoint)# crl configure
    vpn-demo-1(config-ca-crl)# cry ca enroll SELF
    % The fully-qualified domain name in the certificate will be: vpn-demo.ashes.cc
    Generate Self-Signed Certificate? [yes/no]: yes
    vpn-demo-1(config)# 
    !
    vpn-demo-1(config)# sh cry ca certificates 
    Certificate
    Status: Available
    Certificate Serial Number: 4d43725e
    Certificate Usage: General Purpose
    Public Key Type: RSA (4096 bits)
    Signature Algorithm: SHA256 with RSA Encryption
    Issuer Name: 
    serialNumber=9A439T02F95
    hostname=vpn-demo.ashes.cc
    cn=*.ashes.cc
    ou=ashes-lab
    o=ashes
    c=ru
    Subject Name:
    serialNumber=9A439T02F95
    hostname=vpn-demo.ashes.cc
    cn=*.ashes.cc
    ou=ashes-lab
    o=ashes
    c=ru
    Validity Date: 
    start date: 00:16:17 MSK Mar 19 2020
    end   date: 00:16:17 MSK Mar 17 2030
    Storage: config
    Associated Trustpoints: SELF 
    
    CA Certificate
    Status: Available
    Certificate Serial Number: 0509
    Certificate Usage: General Purpose
    Public Key Type: RSA (4096 bits)
    Signature Algorithm: SHA1 with RSA Encryption
    Issuer Name: 
    cn=QuoVadis Root CA 2
    o=QuoVadis Limited
    c=BM
    Subject Name: 
    cn=QuoVadis Root CA 2
    o=QuoVadis Limited
    c=BM
    Validity Date: 
    start date: 21:27:00 MSK Nov 24 2006
    end   date: 21:23:33 MSK Nov 24 2031
    Storage: config
    Associated Trustpoints: _SmartCallHome_ServerCA               

    • Don't forget to specify the port when checking that ASDM works, for example:

    • Let's make the basic tunnel settings:
    • We will make the corporate network reachable through the tunnel and let Internet traffic go out directly. This is not the most secure method when the connecting host has no protection: an infected host can be used as a way in and to expose corporate data. The split-tunnel-policy tunnelall option sends all host traffic into the tunnel. Nevertheless, split tunneling offloads the VPN gateway, which then does not process the host's Internet traffic.
    • We will issue addresses from the 192.168.20.0/24 subnet to hosts in the tunnel (a pool of addresses from 10 to 30 (for node #1)). Each node of the VPN cluster must have its own pool.
    • We will do basic authentication with a locally created user on the ASA (this is not recommended; it is simply the easiest method). It is better to authenticate via LDAP/RADIUS or, better still, to tie in Multi-Factor Authentication (MFA), for example Cisco DUO.

    !
    vpn-demo-1(config)# ip local pool vpn-pool 192.168.20.10-192.168.20.30 mask 255.255.255.0
    !
    vpn-demo-1(config)# access-list split-tunnel standard permit 192.168.0.0 255.255.0.0
    !
    vpn-demo-1(config)# group-policy SSL-VPN-GROUP-POLICY internal
    vpn-demo-1(config)# group-policy SSL-VPN-GROUP-POLICY attributes
    vpn-demo-1(config-group-policy)# vpn-tunnel-protocol ssl-client 
    vpn-demo-1(config-group-policy)# split-tunnel-policy tunnelspecified
    vpn-demo-1(config-group-policy)# split-tunnel-network-list value split-tunnel
    vpn-demo-1(config-group-policy)# dns-server value 192.168.99.132
    vpn-demo-1(config-group-policy)# default-domain value ashes.cc
    vpn-demo-1(config)# tunnel-group DefaultWEBVPNGroup general-attributes
    vpn-demo-1(config-tunnel-general)#  default-group-policy SSL-VPN-GROUP-POLICY
    vpn-demo-1(config-tunnel-general)#  address-pool vpn-pool
    !
    vpn-demo-1(config)# username dkazakov password cisco
    vpn-demo-1(config)# username dkazakov attributes
    vpn-demo-1(config-username)# service-type remote-access
    !
    vpn-demo-1(config)# ssl trust-point SELF
    vpn-demo-1(config)# webvpn
    vpn-demo-1(config-webvpn)#  enable outside
    vpn-demo-1(config-webvpn)#  anyconnect image disk0:/anyconnect-win-4.8.03036-webdeploy-k9.pkg
    vpn-demo-1(config-webvpn)#  anyconnect enable
    !

    • (OPTIONAL): In the example above, we used a local user on the firewall to authenticate remote users, which is of little use outside a lab. Here is an example of how to quickly adapt the configuration to authenticate against a RADIUS server, for example Cisco Identity Services Engine:

    vpn-demo-1(config)# aaa-server RADIUS protocol radius
    vpn-demo-1(config-aaa-server-group)# dynamic-authorization
    vpn-demo-1(config-aaa-server-group)# interim-accounting-update
    vpn-demo-1(config-aaa-server-group)# aaa-server RADIUS (outside) host 192.168.99.134
    vpn-demo-1(config-aaa-server-host)# key cisco
    vpn-demo-1(config-aaa-server-host)# exit
    vpn-demo-1(config)# tunnel-group DefaultWEBVPNGroup general-attributes
    vpn-demo-1(config-tunnel-general)# authentication-server-group  RADIUS 
    !

    This integration made it possible not only to quickly integrate the authentication procedure with the AD directory service, but also to distinguish whether the connecting computer belongs to AD, to understand whether the device is corporate or personal, and to assess the state of the connected device.

    • Let's configure Transparent NAT so that traffic between the client and corporate network resources is not translated:

    vpn-demo-1(config)# object network vpn-users
    vpn-demo-1(config-network-object)#  subnet 192.168.20.0 255.255.255.0
    !
    vpn-demo-1(config)# nat (inside,outside) source static any any destination static vpn-users vpn-users no-proxy-arp

    • (OPTIONAL): To let our clients out to the Internet through the ASA (when using the tunnelall option) using PAT, and to exit through the same OUTSIDE interface they connect from, you need to make the following settings:

    vpn-demo-1(config-network-object)# nat (outside,outside) source dynamic vpn-users interface
    vpn-demo-1(config)# nat (inside,outside) source dynamic any interface
    vpn-demo-1(config)# same-security-traffic permit intra-interface 
    !

    • When using a cluster, it is very important that the internal network knows which ASA to send return traffic for users to; for this you need to redistribute the /32 routes of the addresses issued to clients.
      At this point we have not yet configured the cluster, but we already have working VPN gateways that can be connected to individually via FQDN or IP.

    We see the connected client in the routing table of the first ASA:

    So that our whole VPN cluster and the whole corporate network know the route to our client, we redistribute the client prefix into a dynamic routing protocol, for example OSPF:

    !
    ! The route-map below matches the access-list VPN-REDISTRIBUTE, whose definition is not shown here; it has to exist and match the client pool.
    vpn-demo-1(config)# route-map RMAP-VPN-REDISTRIBUTE permit 1
    vpn-demo-1(config-route-map)#  match ip address VPN-REDISTRIBUTE
    !
    vpn-demo-1(config)# router ospf 1
    vpn-demo-1(config-router)#  network 192.168.255.0 255.255.255.0 area 0
    vpn-demo-1(config-router)#  log-adj-changes
    vpn-demo-1(config-router)#  redistribute static metric 5000 subnets route-map RMAP-VPN-REDISTRIBUTE

    Now we have a route to the client from the second gateway, ASA-2, and users connected to different VPN gateways within the cluster can, for example, communicate directly via a corporate softphone, and return traffic from the resources a user requested arrives at the right VPN gateway:

  5. Let's move on to configuring the Load-Balancing cluster.

    The address 192.168.31.40 will be used as the Virtual IP (VIP: all VPN clients connect to it initially); from this address the cluster Master will REDIRECT to a less loaded cluster node. Don't forget to create forward and reverse DNS records both for each external address/FQDN of each cluster node and for the VIP.

    vpn-demo-1(config)# vpn load-balancing
    vpn-demo-1(config-load-balancing)# interface lbpublic outside
    vpn-demo-1(config-load-balancing)# interface lbprivate inside
    vpn-demo-1(config-load-balancing)# priority 10
    vpn-demo-1(config-load-balancing)# cluster ip address 192.168.31.40
    vpn-demo-1(config-load-balancing)# cluster port 4000
    vpn-demo-1(config-load-balancing)# redirect-fqdn enable
    vpn-demo-1(config-load-balancing)# cluster key cisco
    vpn-demo-1(config-load-balancing)# cluster encryption
    ! cluster port is entered a second time here, so 9023 replaces the 4000 entered above
    vpn-demo-1(config-load-balancing)# cluster port 9023
    vpn-demo-1(config-load-balancing)# participate
    vpn-demo-1(config-load-balancing)#

    • We check the operation of the cluster with two connected clients:

    • Let's make things more convenient for the client with an AnyConnect profile that is downloaded automatically, configured via ASDM.

    We name the profile in a convenient way and associate our group policy with it:

    After the client's next connection, this profile is downloaded and installed in the AnyConnect client automatically, so to connect you only need to select it from the list:

    Since we created this profile on only one ASA using ASDM, don't forget to repeat the steps on the other ASAs in the cluster.
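
Since nothing synchronizes configuration between cluster nodes and every step above is repeated by hand on each ASA, settings can drift apart from node to node. The following Python script is an added example (not part of the original article or of any Cisco tooling) that compares per-node running-config excerpts for cluster and authentication settings that differ and for address pools that overlap; the names `settings`, `pools`, `audit` and `MUST_MATCH`, and both sample configs, are constructed for illustration.

```python
import ipaddress
import re

# Constructed running-config excerpts for two nodes (sample data, not from a real device).
NODES = {
    "vpn-demo-1": """\
ip local pool vpn-pool 192.168.20.10-192.168.20.30 mask 255.255.255.0
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group RADIUS
vpn load-balancing
 cluster ip address 192.168.31.40
 cluster port 9023
 cluster encryption
 participate
""",
    "vpn-demo-2": """\
ip local pool vpn-pool 192.168.20.25-192.168.20.50 mask 255.255.255.0
tunnel-group DefaultWEBVPNGroup general-attributes
vpn load-balancing
 cluster ip address 192.168.31.40
 cluster port 4000
 cluster encryption
 participate
""",
}

# Assumed checklist: lines expected to be identical on every node of the cluster.
MUST_MATCH = ("cluster ip address", "cluster port", "cluster encryption",
              "participate", "authentication-server-group")

def settings(cfg):
    """Map each MUST_MATCH keyword to its argument string (None when the line is absent)."""
    found = dict.fromkeys(MUST_MATCH)
    for line in map(str.strip, cfg.splitlines()):
        for key in MUST_MATCH:
            if line == key or line.startswith(key + " "):
                found[key] = line[len(key):].strip() or "set"
    return found

def pools(cfg):
    """Return (first, last) address pairs from 'ip local pool NAME A-B' lines."""
    return [(ipaddress.ip_address(a), ipaddress.ip_address(b))
            for a, b in re.findall(r"^ip local pool \S+ (\S+)-(\S+)", cfg, re.M)]

def audit(nodes):
    """Compare every pair of nodes ({hostname: config text}); return sorted findings."""
    findings, names = [], sorted(nodes)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            sa, sb = settings(nodes[a]), settings(nodes[b])
            findings += [f"{a}/{b}: '{k}' differs: {sa[k]} vs {sb[k]}"
                         for k in MUST_MATCH if sa[k] != sb[k]]
            findings += [f"{a}/{b}: pools overlap at {max(l1, l2)}-{min(h1, h2)}"
                         for l1, h1 in pools(nodes[a]) for l2, h2 in pools(nodes[b])
                         if l1 <= h2 and l2 <= h1]
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(NODES)))
```

On the sample data it reports the node that still lacks the RADIUS server group, the mismatched cluster port, and the overlapping range 192.168.20.25-192.168.20.30.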

Conclusion: Thus, we quickly deployed a cluster of several VPN gateways with automatic load balancing. Adding new nodes to the cluster is easy, giving simple horizontal scaling by deploying new ASAv virtual machines or using hardware ASAs. The feature-rich AnyConnect client can greatly extend secure remote connectivity by using Posture (state assessment), which is most effective when used together with the Identity Services Engine system for centralized access control and accounting.

Source: www.habr.com